[ANE-2235] Add support for PNPM v9 lockfile format #1501
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Handle package keys without leading slash in v9 format 2. Add support for catalog versions (workspace:*) in v9 format 3. Improve version normalization and handling 4. Add more test cases and documentation
|
Integration test is consistently failing for me in GH and locally. TL;DR it’s |
- Add catalogs field to PnpmLockfile type - Create CatalogMap and CatalogEntry types for parsing catalog data - Add getPackageVersion helper to resolve catalog versions - Update version parsing to properly handle v7-v9 lockfiles
ryanlink
changed the title
ryanlink
changed the title
- Track dev dependencies from importers section - Consider both importers and packages sections when determining dev status - Pass dev dependency status through dependency resolution chain - Update toDependency to combine isDev flags from both sources
- Rename version field in CatalogEntry to catalogVersion to avoid collision with ProjectMapDepMetadata
- Use parseJSON instead of undefined parseCatalogEntry
- Use fully qualified Yaml.parseJSON to fix compilation error
- Add KeyMap import - Convert Object to Map Text using KeyMap.toMap
|
@csasarak Sorry I've made a big mess of this branch. Considering reverting my commits to restore to where you were, as I've been creating cascading issues. I'll start another branch for my experiments. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Changes
This PR improves the PNPM v9 lockfile parsing to correctly handle:
workspace:*orworkspace:^1.0.0)Implementation Details
catalogsfield toPnpmLockfiletype to parse the new catalog sectionCatalogMapandCatalogEntrytypes to properly handle catalog entriesgetPackageVersionhelper to resolve catalog version referencesPnpmLockGt6Fixes
This addresses several issues where:
Motivation
PNPM v9 introduced a new lockfile format that uses a catalog system for version management. This change ensures we can correctly parse these lockfiles and extract accurate dependency information.
Acceptance criteria
Using pnpm 9 with a v9 lockfile, all npm dependencies are correctly resolved with proper locators in the FOSSA UI.
Testing plan
Tested against PNPM's own repository (which uses v9 lockfile) to verify correct handling of:
Risks
Highlight any areas that you're unsure of, want feedback on, or want reviewers to pay particular attention to.
Example: I'm not sure I did X correctly, can reviewers please double-check that for me?
Metrics
Is this change something that can or should be tracked? If so, can we do it today? And how? If its easy, do it
References
https://fossa.atlassian.net/browse/ANE-2235
https://fossa.atlassian.net/browse/ANE-2177
https://teamfossa.slack.com/archives/C022BQWCR45/p1733495478363879
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.